[thirdparty/systemd.git] / src / journal / journald-audit.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "missing.h"
#include "journald-audit.h"

typedef struct MapField {
        const char *audit_field;
        const char *journal_field;
        int (*map)(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov);
} MapField;

static int map_simple_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
        _cleanup_free_ char *c = NULL;
        size_t l = 0, allocated = 0;
        const char *e;

        assert(field);
        assert(p);
        assert(iov);
        assert(n_iov);

        l = strlen(field);
        allocated = l + 1;
        c = malloc(allocated);
        if (!c)
                return -ENOMEM;

        memcpy(c, field, l);
        for (e = *p; *e != ' ' && *e != 0; e++) {
                if (!GREEDY_REALLOC(c, allocated, l+2))
                        return -ENOMEM;

                c[l++] = *e;
        }

        c[l] = 0;

        if (!GREEDY_REALLOC(*iov, *n_iov_allocated, *n_iov + 1))
                return -ENOMEM;

        (*iov)[*n_iov].iov_base = c;
        (*iov)[*n_iov].iov_len = l;
        (*n_iov) ++;

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field_internal(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov, bool filter_printable) {
        _cleanup_free_ char *c = NULL;
        const char *s, *e;
        size_t l;

        assert(field);
        assert(p);
        assert(iov);
        assert(n_iov);

        /* The kernel formats string fields in one of two formats. */

        if (**p == '"') {
                /* Normal quoted syntax */
                s = *p + 1;
                e = strchr(s, '"');
                if (!e)
                        return 0;

                l = strlen(field) + (e - s);
                c = malloc(l+1);
                if (!c)
                        return -ENOMEM;

                *((char*) mempcpy(stpcpy(c, field), s, e - s)) = 0;

                e += 1;

        } else if (unhexchar(**p) >= 0) {
                /* Hexadecimal escaping */
                size_t allocated = 0;

                l = strlen(field);
                allocated = l + 2;
                c = malloc(allocated);
                if (!c)
                        return -ENOMEM;

                memcpy(c, field, l);
                for (e = *p; *e != ' ' && *e != 0; e += 2) {
                        int a, b;
                        uint8_t x;

                        a = unhexchar(e[0]);
                        if (a < 0)
                                return 0;

                        b = unhexchar(e[1]);
                        if (b < 0)
                                return 0;

                        x = ((uint8_t) a << 4 | (uint8_t) b);

                        if (filter_printable && x < (uint8_t) ' ')
                                x = (uint8_t) ' ';

                        if (!GREEDY_REALLOC(c, allocated, l+2))
                                return -ENOMEM;

                        c[l++] = (char) x;
                }

                c[l] = 0;
        } else
                return 0;

        if (!GREEDY_REALLOC(*iov, *n_iov_allocated, *n_iov + 1))
                return -ENOMEM;

        (*iov)[*n_iov].iov_base = c;
        (*iov)[*n_iov].iov_len = l;
        (*n_iov) ++;

        *p = e;
        c = NULL;

        return 1;
}

static int map_string_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, false);
}

static int map_string_field_printable(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, true);
}

static int map_generic_field(const char *prefix, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
        const char *e, *f;
        char *c, *t;
        int r;

        /* Implements fallback mappings for all fields we don't know */

        for (e = *p; e < *p + 16; e++) {

                if (*e == 0 || *e == ' ')
                        return 0;

                if (*e == '=')
                        break;

                if (!((*e >= 'a' && *e <= 'z') ||
                      (*e >= 'A' && *e <= 'Z') ||
                      (*e >= '0' && *e <= '9') ||
                      *e == '_' || *e == '-'))
                        return 0;
        }

        if (e <= *p || e >= *p + 16)
                return 0;

        c = alloca(strlen(prefix) + (e - *p) + 2);

        t = stpcpy(c, prefix);
        for (f = *p; f < e; f++) {
                char x;

                if (*f >= 'a' && *f <= 'z')
                        x = (*f - 'a') + 'A'; /* uppercase */
                else if (*f == '-')
                        x = '_'; /* dashes → underscores */
                else
                        x = *f;

                *(t++) = x;
        }
        strcpy(t, "=");

        e ++;

        r = map_simple_field(c, &e, iov, n_iov_allocated, n_iov);
        if (r < 0)
                return r;

        *p = e;
        return r;
}

/* Kernel fields are those occurring in the audit string before
 * msg='. All of these fields are trusted, hence carry the "_" prefix.
 * We try to translate the fields we know into our native names. The
 * other's are generically mapped to _AUDIT_FIELD_XYZ= */
static const MapField map_fields_kernel[] = {

        /* First, we map certain well-known audit fields into native
         * well-known fields */
        { "pid=",       "_PID=",                   map_simple_field },
        { "ppid=",      "_PPID=",                  map_simple_field },
        { "uid=",       "_UID=",                   map_simple_field },
        { "euid=",      "_EUID=",                  map_simple_field },
        { "fsuid=",     "_FSUID=",                 map_simple_field },
        { "gid=",       "_GID=",                   map_simple_field },
        { "egid=",      "_EGID=",                  map_simple_field },
        { "fsgid=",     "_FSGID=",                 map_simple_field },
        { "tty=",       "_TTY=",                   map_simple_field },
        { "ses=",       "_AUDIT_SESSION=",         map_simple_field },
        { "auid=",      "_AUDIT_LOGINUID=",        map_simple_field },
        { "subj=",      "_SELINUX_CONTEXT=",       map_simple_field },
        { "comm=",      "_COMM=",                  map_string_field },
        { "exe=",       "_EXE=",                   map_string_field },
        { "proctitle=", "_CMDLINE=",               map_string_field_printable },

        /* Some fields don't map to native well-known fields. However,
         * we know that they are string fields, hence let's undo
         * string field escaping for them, though we stick to the
         * generic field names. */
        { "path=",      "_AUDIT_FIELD_PATH=",      map_string_field },
        { "dev=",       "_AUDIT_FIELD_DEV=",       map_string_field },
        { "name=",      "_AUDIT_FIELD_NAME=",      map_string_field },
        {}
};

/* Userspace fields are those occurring in the audit string after
 * msg='. All of these fields are untrusted, hence carry no "_"
 * prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
static const MapField map_fields_userspace[] = {
        { "cwd=",       "AUDIT_FIELD_CWD=",  map_string_field },
        { "cmd=",       "AUDIT_FIELD_CMD=",  map_string_field },
        { "acct=",      "AUDIT_FIELD_ACCT=", map_string_field },
        { "exe=",       "AUDIT_FIELD_EXE=",  map_string_field },
        { "comm=",      "AUDIT_FIELD_COMM=", map_string_field },
        {}
};

static int map_all_fields(
                const char *p,
                const MapField map_fields[],
                const char *prefix,
                bool handle_msg,
                struct iovec **iov,
                size_t *n_iov_allocated,
                unsigned *n_iov) {

        int r;

        assert(p);
        assert(iov);
        assert(n_iov_allocated);
        assert(n_iov);

        for (;;) {
                bool mapped = false;
                const MapField *m;
                const char *v;

                p += strspn(p, WHITESPACE);

                if (*p == 0)
                        return 0;

                if (handle_msg) {
                        v = startswith(p, "msg='");
                        if (v) {
                                const char *e;
                                char *c;

                                /* Userspace message. It's enclosed in
                                   simple quotation marks, is not
                                   escaped, but the last field in the
                                   line, hence let's remove the
                                   quotation mark, and apply the
                                   userspace mapping instead of the
                                   kernel mapping. */

                                e = endswith(v, "'");
                                if (!e)
                                        return 0; /* don't continue splitting up if the final quotation mark is missing */

                                c = strndupa(v, e - v);
                                return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iov, n_iov_allocated, n_iov);
                        }
                }

                /* Try to map the kernel fields to our own names */
                for (m = map_fields; m->audit_field; m++) {
                        v = startswith(p, m->audit_field);
                        if (!v)
                                continue;

                        r = m->map(m->journal_field, &v, iov, n_iov_allocated, n_iov);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r > 0) {
                                mapped = true;
                                p = v;
                                break;
                        }
                }

                if (!mapped) {
                        r = map_generic_field(prefix, &p, iov, n_iov_allocated, n_iov);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to parse audit array: %m");

                        if (r == 0) {
                                /* Couldn't process as generic field, let's just skip over it */
                                p += strcspn(p, WHITESPACE);
                        }
                }
        }
}

static void process_audit_string(Server *s, int type, const char *data, size_t size) {
        _cleanup_free_ struct iovec *iov = NULL;
        size_t n_iov_allocated = 0;
        unsigned n_iov = 0, k;
        uint64_t seconds, msec, id;
        const char *p;
        unsigned z;
        char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
             type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
             source_time_field[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
        char *m;

        assert(s);

        if (size <= 0)
                return;

        if (!data)
                return;

        /* Note that the input buffer is NUL terminated, but let's
         * check whether there is a spurious NUL byte */
        if (memchr(data, 0, size))
                return;

        p = startswith(data, "audit");
        if (!p)
                return;

        if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
                   &seconds,
                   &msec,
                   &id,
                   &k) != 3)
                return;

        p += k;
        p += strspn(p, WHITESPACE);

        if (isempty(p))
                return;

        n_iov_allocated = N_IOVEC_META_FIELDS + 7;
        iov = new(struct iovec, n_iov_allocated);
        if (!iov) {
                log_oom();
                return;
        }

        IOVEC_SET_STRING(iov[n_iov++], "_TRANSPORT=audit");

        sprintf(source_time_field, "_SOURCE_REALTIME_TIMESTAMP=%" PRIu64,
                (usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC);
        IOVEC_SET_STRING(iov[n_iov++], source_time_field);

        sprintf(type_field, "_AUDIT_TYPE=%i", type);
        IOVEC_SET_STRING(iov[n_iov++], type_field);

        sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
        IOVEC_SET_STRING(iov[n_iov++], id_field);

        assert_cc(32 == LOG_AUTH);
        IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_FACILITY=32");
        IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_IDENTIFIER=audit");

        m = alloca(strlen("MESSAGE=<audit-") + DECIMAL_STR_MAX(int) + strlen("> ") + strlen(p) + 1);
        sprintf(m, "MESSAGE=<audit-%i> %s", type, p);
        IOVEC_SET_STRING(iov[n_iov++], m);

        z = n_iov;

        map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, &iov, &n_iov_allocated, &n_iov);

        if (!GREEDY_REALLOC(iov, n_iov_allocated, n_iov + N_IOVEC_META_FIELDS)) {
                log_oom();
                goto finish;
        }

        server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, NULL, NULL, 0, NULL, LOG_NOTICE, 0);

finish:
        /* free() all entries that map_all_fields() added. All others
         * are allocated on the stack or are constant. */

        for (; z < n_iov; z++)
                free(iov[z].iov_base);
}

void server_process_audit_message(
                Server *s,
                const void *buffer,
                size_t buffer_size,
                const struct ucred *ucred,
                const union sockaddr_union *sa,
                socklen_t salen) {

        const struct nlmsghdr *nl = buffer;

        assert(s);

        if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
                return;

        assert(buffer);

        /* Filter out fake data */
        if (!sa ||
            salen != sizeof(struct sockaddr_nl) ||
            sa->nl.nl_family != AF_NETLINK ||
            sa->nl.nl_pid != 0) {
                log_debug("Audit netlink message from invalid sender.");
                return;
        }

        if (!ucred || ucred->pid != 0) {
                log_debug("Audit netlink message with invalid credentials.");
                return;
        }

        if (!NLMSG_OK(nl, buffer_size)) {
                log_error("Audit netlink message truncated.");
                return;
        }

        /* Ignore special Netlink messages */
        if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
                return;

        /* Below AUDIT_FIRST_USER_MSG theer are only control messages, let's ignore those */
        if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG)
                return;

        process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
}

static int enable_audit(int fd, bool b) {
        struct {
                union {
                        struct nlmsghdr header;
                        uint8_t header_space[NLMSG_HDRLEN];
                };
                struct audit_status body;
        } _packed_ request = {
                .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
                .header.nlmsg_type = AUDIT_SET,
                .header.nlmsg_flags = NLM_F_REQUEST,
                .header.nlmsg_seq = 1,
                .header.nlmsg_pid = 0,
                .body.mask = AUDIT_STATUS_ENABLED,
                .body.enabled = b,
        };
        union sockaddr_union sa = {
                .nl.nl_family = AF_NETLINK,
                .nl.nl_pid = 0,
        };
        struct iovec iovec = {
                .iov_base = &request,
                .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
        };
        struct msghdr mh = {
                .msg_iov = &iovec,
                .msg_iovlen = 1,
                .msg_name = &sa.sa,
                .msg_namelen = sizeof(sa.nl),
        };

        ssize_t n;

        n = sendmsg(fd, &mh, MSG_NOSIGNAL);
        if (n < 0)
                return -errno;
        if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
                return -EIO;

        /* We don't wait for the result here, we can't do anything
         * about it anyway */

        return 0;
}

int server_open_audit(Server *s) {
        static const int one = 1;
        int r;

        if (s->audit_fd < 0) {
                static const union sockaddr_union sa = {
                        .nl.nl_family = AF_NETLINK,
                        .nl.nl_pid    = 0,
                        .nl.nl_groups = AUDIT_NLGRP_READLOG,
                };

                s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                if (s->audit_fd < 0) {
                        if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
                                log_debug("Audit not supported in the kernel.");
                        else
                                log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");

                        return 0;
                }

                r = bind(s->audit_fd, &sa.sa, sizeof(sa.nl));
                if (r < 0)
                        return log_error_errno(errno, "Failed to join audit multicast group: %m");
        } else
                fd_nonblock(s->audit_fd, 1);

        r = setsockopt(s->audit_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
        if (r < 0)
                return log_error_errno(errno, "Failed to set SO_PASSCRED on audit socket: %m");

        r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
        if (r < 0)
                return log_error_errno(r, "Failed to add audit fd to event loop: %m");

        /* We are listening now, try to enable audit */
        r = enable_audit(s->audit_fd, true);
        if (r < 0)
                log_warning_errno(r, "Failed to issue audit enable call: %m");

        return 0;
}
Commit	Line	Data
875c2e22 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2014 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include "missing.h"
	23	#include "journald-audit.h"
	24
	25	typedef struct MapField {
	26	const char *audit_field;
	27	const char *journal_field;
	28	int (map)(const char field, const char p, struct iovec iov, size_t n_iov_allocated, unsigned n_iov);
	29	} MapField;
	30
	31	static int map_simple_field(const char field, const char p, struct iovec iov, size_t n_iov_allocated, unsigned *n_iov) {
	32	_cleanup_free_ char *c = NULL;
	33	size_t l = 0, allocated = 0;
	34	const char *e;
	35
	36	assert(field);
	37	assert(p);
	38	assert(iov);
	39	assert(n_iov);
	40
	41	l = strlen(field);
	42	allocated = l + 1;
	43	c = malloc(allocated);
	44	if (!c)
	45	return -ENOMEM;
	46
	47	memcpy(c, field, l);
	48	for (e = p; e != ' ' && *e != 0; e++) {
	49	if (!GREEDY_REALLOC(c, allocated, l+2))
	50	return -ENOMEM;
	51
	52	c[l++] = *e;
	53	}
	54
	55	c[l] = 0;
	56
	57	if (!GREEDY_REALLOC(iov, n_iov_allocated, *n_iov + 1))
	58	return -ENOMEM;
	59
	60	(iov)[n_iov].iov_base = c;
	61	(iov)[n_iov].iov_len = l;
	62	(*n_iov) ++;
	63
	64	*p = e;
65	c = NULL;
66
67	return 1;
68	}
69
78fe420f	70	static int map_string_field_internal(const char field, const char p, struct iovec iov, size_t n_iov_allocated, unsigned *n_iov, bool filter_printable) {
875c2e22 LP	71	_cleanup_free_ char *c = NULL;
	72	const char s, e;
	73	size_t l;
	74
	75	assert(field);
	76	assert(p);
	77	assert(iov);
	78	assert(n_iov);
	79
	80	/* The kernel formats string fields in one of two formats. */
	81
	82	if (**p == '"') {
	83	/* Normal quoted syntax */
	84	s = *p + 1;
	85	e = strchr(s, '"');
	86	if (!e)
	87	return 0;
	88
	89	l = strlen(field) + (e - s);
	90	c = malloc(l+1);
	91	if (!c)
	92	return -ENOMEM;
	93
	94	((char) mempcpy(stpcpy(c, field), s, e - s)) = 0;
	95
	96	e += 1;
	97
	98	} else if (unhexchar(**p) >= 0) {
	99	/* Hexadecimal escaping */
	100	size_t allocated = 0;
	101
	102	l = strlen(field);
	103	allocated = l + 2;
	104	c = malloc(allocated);
	105	if (!c)
	106	return -ENOMEM;
	107
	108	memcpy(c, field, l);
	109	for (e = p; e != ' ' && *e != 0; e += 2) {
	110	int a, b;
78fe420f	111	uint8_t x;
875c2e22 LP	112
	113	a = unhexchar(e[0]);
	114	if (a < 0)
	115	return 0;
	116
	117	b = unhexchar(e[1]);
	118	if (b < 0)
	119	return 0;
	120
78fe420f LP	121	x = ((uint8_t) a << 4 \| (uint8_t) b);
	122
	123	if (filter_printable && x < (uint8_t) ' ')
	124	x = (uint8_t) ' ';
	125
875c2e22 LP	126	if (!GREEDY_REALLOC(c, allocated, l+2))
	127	return -ENOMEM;
	128
78fe420f	129	c[l++] = (char) x;
875c2e22 LP	130	}
	131
	132	c[l] = 0;
	133	} else
	134	return 0;
	135
	136	if (!GREEDY_REALLOC(iov, n_iov_allocated, *n_iov + 1))
	137	return -ENOMEM;
	138
	139	(iov)[n_iov].iov_base = c;
	140	(iov)[n_iov].iov_len = l;
	141	(*n_iov) ++;
	142
	143	*p = e;
	144	c = NULL;
	145
	146	return 1;
	147	}
	148
78fe420f LP	149	static int map_string_field(const char field, const char p, struct iovec iov, size_t n_iov_allocated, unsigned *n_iov) {
	150	return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, false);
	151	}
	152
	153	static int map_string_field_printable(const char field, const char p, struct iovec iov, size_t n_iov_allocated, unsigned *n_iov) {
	154	return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, true);
	155	}
	156
875c2e22 LP	157	static int map_generic_field(const char prefix, const char p, struct iovec iov, size_t n_iov_allocated, unsigned *n_iov) {
	158	const char e, f;
	159	char c, t;
	160	int r;
	161
	162	/* Implements fallback mappings for all fields we don't know */
	163
	164	for (e = p; e < p + 16; e++) {
	165
	166	if (e == 0 \|\| e == ' ')
	167	return 0;
	168
	169	if (*e == '=')
	170	break;
	171
	172	if (!((e >= 'a' && e <= 'z') \|\|
	173	(e >= 'A' && e <= 'Z') \|\|
	174	(e >= '0' && e <= '9') \|\|
9833a66c	175	e == '_' \|\| e == '-'))
875c2e22 LP	176	return 0;
	177	}
	178
	179	if (e <= p \|\| e >= p + 16)
	180	return 0;
	181
	182	c = alloca(strlen(prefix) + (e - *p) + 2);
	183
	184	t = stpcpy(c, prefix);
9833a66c LP	185	for (f = *p; f < e; f++) {
	186	char x;
	187
	188	if (f >= 'a' && f <= 'z')
	189	x = (f - 'a') + 'A'; / uppercase */
	190	else if (*f == '-')
	191	x = '_'; /* dashes → underscores */
	192	else
	193	x = *f;
	194
	195	*(t++) = x;
	196	}
875c2e22 LP	197	strcpy(t, "=");
	198
	199	e ++;
	200
	201	r = map_simple_field(c, &e, iov, n_iov_allocated, n_iov);
	202	if (r < 0)
	203	return r;
	204
	205	*p = e;
	206	return r;
	207	}
	208
f131770b	209	/* Kernel fields are those occurring in the audit string before
875c2e22 LP	210	* msg='. All of these fields are trusted, hence carry the "_" prefix.
	211	* We try to translate the fields we know into our native names. The
	212	* other's are generically mapped to _AUDIT_FIELD_XYZ= */
	213	static const MapField map_fields_kernel[] = {
	214
	215	/* First, we map certain well-known audit fields into native
	216	* well-known fields */
	217	{ "pid=", "_PID=", map_simple_field },
	218	{ "ppid=", "_PPID=", map_simple_field },
	219	{ "uid=", "_UID=", map_simple_field },
	220	{ "euid=", "_EUID=", map_simple_field },
	221	{ "fsuid=", "_FSUID=", map_simple_field },
	222	{ "gid=", "_GID=", map_simple_field },
	223	{ "egid=", "_EGID=", map_simple_field },
	224	{ "fsgid=", "_FSGID=", map_simple_field },
	225	{ "tty=", "_TTY=", map_simple_field },
	226	{ "ses=", "_AUDIT_SESSION=", map_simple_field },
	227	{ "auid=", "_AUDIT_LOGINUID=", map_simple_field },
	228	{ "subj=", "_SELINUX_CONTEXT=", map_simple_field },
	229	{ "comm=", "_COMM=", map_string_field },
	230	{ "exe=", "_EXE=", map_string_field },
78fe420f	231	{ "proctitle=", "_CMDLINE=", map_string_field_printable },
875c2e22 LP	232
	233	/* Some fields don't map to native well-known fields. However,
	234	* we know that they are string fields, hence let's undo
	235	* string field escaping for them, though we stick to the
	236	* generic field names. */
	237	{ "path=", "_AUDIT_FIELD_PATH=", map_string_field },
	238	{ "dev=", "_AUDIT_FIELD_DEV=", map_string_field },
	239	{ "name=", "_AUDIT_FIELD_NAME=", map_string_field },
	240	{}
	241	};
	242
f131770b	243	/* Userspace fields are those occurring in the audit string after
875c2e22 LP	244	* msg='. All of these fields are untrusted, hence carry no "_"
	245	* prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
	246	static const MapField map_fields_userspace[] = {
	247	{ "cwd=", "AUDIT_FIELD_CWD=", map_string_field },
	248	{ "cmd=", "AUDIT_FIELD_CMD=", map_string_field },
	249	{ "acct=", "AUDIT_FIELD_ACCT=", map_string_field },
	250	{ "exe=", "AUDIT_FIELD_EXE=", map_string_field },
	251	{ "comm=", "AUDIT_FIELD_COMM=", map_string_field },
	252	{}
	253	};
	254
	255	static int map_all_fields(
	256	const char *p,
	257	const MapField map_fields[],
	258	const char *prefix,
	259	bool handle_msg,
	260	struct iovec **iov,
	261	size_t *n_iov_allocated,
	262	unsigned *n_iov) {
	263
	264	int r;
	265
	266	assert(p);
	267	assert(iov);
	268	assert(n_iov_allocated);
	269	assert(n_iov);
	270
	271	for (;;) {
	272	bool mapped = false;
	273	const MapField *m;
	274	const char *v;
	275
	276	p += strspn(p, WHITESPACE);
	277
	278	if (*p == 0)
	279	return 0;
	280
	281	if (handle_msg) {
	282	v = startswith(p, "msg='");
	283	if (v) {
	284	const char *e;
	285	char *c;
	286
	287	/* Userspace message. It's enclosed in
	288	simple quotation marks, is not
	289	escaped, but the last field in the
	290	line, hence let's remove the
	291	quotation mark, and apply the
	292	userspace mapping instead of the
	293	kernel mapping. */
	294
	295	e = endswith(v, "'");
	296	if (!e)
	297	return 0; /* don't continue splitting up if the final quotation mark is missing */
	298
	299	c = strndupa(v, e - v);
	300	return map_all_fields(c, map_fields_userspace, "AUDIT_FIELD_", false, iov, n_iov_allocated, n_iov);
	301	}
	302	}
	303
	304	/* Try to map the kernel fields to our own names */
	305	for (m = map_fields; m->audit_field; m++) {
	306	v = startswith(p, m->audit_field);
	307	if (!v)
308	continue;
309
310	r = m->map(m->journal_field, &v, iov, n_iov_allocated, n_iov);
23bbb0de MS	311	if (r < 0)
23bbb0de MS	312	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22 LP	313
	314	if (r > 0) {
	315	mapped = true;
	316	p = v;
	317	break;
	318	}
	319	}
	320
	321	if (!mapped) {
	322	r = map_generic_field(prefix, &p, iov, n_iov_allocated, n_iov);
23bbb0de MS	323	if (r < 0)
23bbb0de MS	324	return log_debug_errno(r, "Failed to parse audit array: %m");
875c2e22 LP	325
	326	if (r == 0) {
	327	/* Couldn't process as generic field, let's just skip over it */
	328	p += strcspn(p, WHITESPACE);
	329	}
	330	}
	331	}
	332	}
	333
0b97208d	334	static void process_audit_string(Server s, int type, const char data, size_t size) {
875c2e22 LP	335	_cleanup_free_ struct iovec *iov = NULL;
	336	size_t n_iov_allocated = 0;
	337	unsigned n_iov = 0, k;
	338	uint64_t seconds, msec, id;
	339	const char *p;
	340	unsigned z;
	341	char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
	342	type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
	343	source_time_field[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
25b3245f	344	char *m;
875c2e22 LP	345
	346	assert(s);
	347
	348	if (size <= 0)
	349	return;
	350
	351	if (!data)
	352	return;
	353
	354	/* Note that the input buffer is NUL terminated, but let's
	355	* check whether there is a spurious NUL byte */
	356	if (memchr(data, 0, size))
	357	return;
	358
	359	p = startswith(data, "audit");
	360	if (!p)
	361	return;
	362
1fa2f38f	363	if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
875c2e22 LP	364	&seconds,
	365	&msec,
	366	&id,
	367	&k) != 3)
	368	return;
	369
	370	p += k;
5034c7bc LP	371	p += strspn(p, WHITESPACE);
	372
	373	if (isempty(p))
	374	return;
875c2e22	375
cd556b6c	376	n_iov_allocated = N_IOVEC_META_FIELDS + 7;
875c2e22 LP	377	iov = new(struct iovec, n_iov_allocated);
	378	if (!iov) {
	379	log_oom();
	380	return;
	381	}
	382
	383	IOVEC_SET_STRING(iov[n_iov++], "_TRANSPORT=audit");
	384
	385	sprintf(source_time_field, "_SOURCE_REALTIME_TIMESTAMP=%" PRIu64,
	386	(usec_t) seconds * USEC_PER_SEC + (usec_t) msec * USEC_PER_MSEC);
	387	IOVEC_SET_STRING(iov[n_iov++], source_time_field);
	388
	389	sprintf(type_field, "_AUDIT_TYPE=%i", type);
	390	IOVEC_SET_STRING(iov[n_iov++], type_field);
	391
	392	sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
	393	IOVEC_SET_STRING(iov[n_iov++], id_field);
	394
cd556b6c ZJS	395	assert_cc(32 == LOG_AUTH);
	396	IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_FACILITY=32");
	397	IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_IDENTIFIER=audit");
	398
124aff62 LP	399	m = alloca(strlen("MESSAGE=<audit-") + DECIMAL_STR_MAX(int) + strlen("> ") + strlen(p) + 1);
124aff62 LP	400	sprintf(m, "MESSAGE=<audit-%i> %s", type, p);
875c2e22 LP	401	IOVEC_SET_STRING(iov[n_iov++], m);
	402
	403	z = n_iov;
	404
	405	map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, &iov, &n_iov_allocated, &n_iov);
	406
	407	if (!GREEDY_REALLOC(iov, n_iov_allocated, n_iov + N_IOVEC_META_FIELDS)) {
	408	log_oom();
	409	goto finish;
	410	}
	411
0b97208d	412	server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, NULL, NULL, 0, NULL, LOG_NOTICE, 0);
875c2e22 LP	413
	414	finish:
	415	/* free() all entries that map_all_fields() added. All others
	416	* are allocated on the stack or are constant. */
	417
	418	for (; z < n_iov; z++)
	419	free(iov[z].iov_base);
	420	}
	421
	422	void server_process_audit_message(
	423	Server *s,
	424	const void *buffer,
	425	size_t buffer_size,
	426	const struct ucred *ucred,
875c2e22 LP	427	const union sockaddr_union *sa,
	428	socklen_t salen) {
	429
	430	const struct nlmsghdr *nl = buffer;
	431
	432	assert(s);
	433
	434	if (buffer_size < ALIGN(sizeof(struct nlmsghdr)))
	435	return;
	436
	437	assert(buffer);
	438
	439	/* Filter out fake data */
	440	if (!sa \|\|
	441	salen != sizeof(struct sockaddr_nl) \|\|
	442	sa->nl.nl_family != AF_NETLINK \|\|
	443	sa->nl.nl_pid != 0) {
	444	log_debug("Audit netlink message from invalid sender.");
	445	return;
	446	}
	447
	448	if (!ucred \|\| ucred->pid != 0) {
	449	log_debug("Audit netlink message with invalid credentials.");
	450	return;
	451	}
	452
	453	if (!NLMSG_OK(nl, buffer_size)) {
	454	log_error("Audit netlink message truncated.");
	455	return;
	456	}
	457
	458	/* Ignore special Netlink messages */
	459	if (IN_SET(nl->nlmsg_type, NLMSG_NOOP, NLMSG_ERROR))
	460	return;
	461
	462	/* Below AUDIT_FIRST_USER_MSG theer are only control messages, let's ignore those */
	463	if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG)
	464	return;
	465
0b97208d	466	process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
875c2e22 LP	467	}
875c2e22 LP	468
4d9ced99 LP	469	static int enable_audit(int fd, bool b) {
	470	struct {
	471	union {
	472	struct nlmsghdr header;
	473	uint8_t header_space[NLMSG_HDRLEN];
	474	};
	475	struct audit_status body;
	476	} _packed_ request = {
	477	.header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	478	.header.nlmsg_type = AUDIT_SET,
	479	.header.nlmsg_flags = NLM_F_REQUEST,
	480	.header.nlmsg_seq = 1,
	481	.header.nlmsg_pid = 0,
	482	.body.mask = AUDIT_STATUS_ENABLED,
	483	.body.enabled = b,
	484	};
	485	union sockaddr_union sa = {
	486	.nl.nl_family = AF_NETLINK,
	487	.nl.nl_pid = 0,
	488	};
	489	struct iovec iovec = {
	490	.iov_base = &request,
	491	.iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
	492	};
	493	struct msghdr mh = {
	494	.msg_iov = &iovec,
	495	.msg_iovlen = 1,
	496	.msg_name = &sa.sa,
	497	.msg_namelen = sizeof(sa.nl),
	498	};
	499
	500	ssize_t n;
	501
	502	n = sendmsg(fd, &mh, MSG_NOSIGNAL);
	503	if (n < 0)
	504	return -errno;
	505	if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
	506	return -EIO;
	507
	508	/* We don't wait for the result here, we can't do anything
	509	* about it anyway */
	510
	511	return 0;
	512	}
	513
875c2e22 LP	514	int server_open_audit(Server *s) {
	515	static const int one = 1;
	516	int r;
	517
	518	if (s->audit_fd < 0) {
	519	static const union sockaddr_union sa = {
	520	.nl.nl_family = AF_NETLINK,
	521	.nl.nl_pid = 0,
	522	.nl.nl_groups = AUDIT_NLGRP_READLOG,
	523	};
	524
	525	s->audit_fd = socket(AF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_AUDIT);
	526	if (s->audit_fd < 0) {
	527	if (errno == EAFNOSUPPORT \|\| errno == EPROTONOSUPPORT)
	528	log_debug("Audit not supported in the kernel.");
	529	else
56f64d95	530	log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
875c2e22 LP	531
	532	return 0;
	533	}
	534
	535	r = bind(s->audit_fd, &sa.sa, sizeof(sa.nl));
4a62c710 MS	536	if (r < 0)
4a62c710 MS	537	return log_error_errno(errno, "Failed to join audit multicast group: %m");
875c2e22 LP	538	} else
	539	fd_nonblock(s->audit_fd, 1);
	540
	541	r = setsockopt(s->audit_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
4a62c710 MS	542	if (r < 0)
4a62c710 MS	543	return log_error_errno(errno, "Failed to set SO_PASSCRED on audit socket: %m");
875c2e22	544
8531ae70	545	r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
23bbb0de MS	546	if (r < 0)
23bbb0de MS	547	return log_error_errno(r, "Failed to add audit fd to event loop: %m");
875c2e22	548
4d9ced99 LP	549	/* We are listening now, try to enable audit */
	550	r = enable_audit(s->audit_fd, true);
	551	if (r < 0)
da927ba9	552	log_warning_errno(r, "Failed to issue audit enable call: %m");
4d9ced99	553
875c2e22 LP	554	return 0;
875c2e22 LP	555	}